1
00:00:02,050 --> 00:00:07,570
Welcome to the module on identity theft, or the methods and techniques for stealing user credentials from

2
00:00:07,570 --> 00:00:08,230
systems.

3
00:00:11,150 --> 00:00:18,030
Let's begin by attempting a classification. What subtypes can credential stealing attacks be divided

4
00:00:18,030 --> 00:00:20,300
into?

5
00:00:20,390 --> 00:00:26,540
We refer to them as authentication credentials and not passwords, since we are now aware that operating systems,

6
00:00:26,900 --> 00:00:31,030
except for poorly designed systems, don't store user passwords.

7
00:00:33,380 --> 00:00:39,970
The first type is an online credential stealing attack. Having accessed or gathered some credentials,

8
00:00:40,270 --> 00:00:44,090
an attacker might attempt to recover a user's actual password from them.

9
00:00:45,730 --> 00:00:53,220
This sort of attack is very vicious and quite notorious. If you hear that the database of Company X or

10
00:00:53,220 --> 00:00:54,480
Y has been leaked,

11
00:00:54,480 --> 00:00:57,550
don't expect it to contain any plain text passwords.

12
00:00:59,670 --> 00:01:02,110
These types of databases are obsolete now.

13
00:01:04,080 --> 00:01:08,520
The leaked files will instead contain credentials or hashes generated from passwords.

14
00:01:10,640 --> 00:01:17,460
There is still the risk, of course, that having obtained the credentials an attacker can reverse a hash.

15
00:01:17,670 --> 00:01:19,710
We'll talk about how to do this in a minute.

16
00:01:21,710 --> 00:01:26,240
But attackers don't have to do it at all, since they have credentials that are capable of authenticating

17
00:01:26,240 --> 00:01:30,750
them in a system. Passwords are irrelevant in this scenario.

18
00:01:33,020 --> 00:01:39,300
What's important are the LM and the NT hashes and the TGT ticket.

19
00:01:39,350 --> 00:01:46,640
If an attacker has a TGT or a hash, user passwords are no longer a prerequisite.
20
00:01:46,730 --> 00:01:49,250
He can make good use of the credentials he got ahold of.

21
00:01:54,130 --> 00:01:59,640
The second class of credential stealing attacks are passive online attacks that intercept credentials sent over

22
00:01:59,640 --> 00:02:04,540
a network. After a successful interception,

23
00:02:04,550 --> 00:02:11,950
the credentials are used to obtain a user's password or to impersonate the user in a system. Interception

24
00:02:11,950 --> 00:02:13,490
is a time-consuming process

25
00:02:13,570 --> 00:02:16,510
that doesn't always go well.

26
00:02:16,520 --> 00:02:22,790
That's why man-in-the-middle attacks or replay attacks are usually used to run it.

27
00:02:22,880 --> 00:02:25,730
We'll talk about one replay technique in particular soon.

28
00:02:29,400 --> 00:02:36,040
Active online attacks rely on cracking passwords. An attacker doesn't have to have any cryptographic

29
00:02:36,040 --> 00:02:37,170
resources.

30
00:02:39,280 --> 00:02:40,910
He only knows something about the user,

31
00:02:40,920 --> 00:02:48,470
and will try to guess or determine that user's password. If this knowledge proves insufficient, the user,

32
00:02:48,470 --> 00:02:50,900
for example, has a secure password,

33
00:02:50,930 --> 00:02:54,110
it's very easy to detect and block an active online attack.

34
00:02:56,880 --> 00:03:02,280
An effective countermeasure in that case is to enforce locking an account after a limit of failed login

35
00:03:02,290 --> 00:03:03,370
attempts has been reached.

36
00:03:10,270 --> 00:03:14,610
The fourth category of credential attacks are strictly social engineering attacks.

37
00:03:17,250 --> 00:03:22,950
Why would anyone want to lose days, weeks or months of time cracking a password if it's enough to

38
00:03:22,950 --> 00:03:25,310
politely ask a user to share it with you?

39
00:03:29,410 --> 00:03:31,610
How are online attacks constructed?
40
00:03:31,820 --> 00:03:37,160
What methods are used? A brute force attack is one of the potential threats here.

41
00:03:38,900 --> 00:03:45,890
This is an exhaustive key attack that relies on checking all combinations of characters, as you remember

42
00:03:45,890 --> 00:03:47,630
from the previous module.

43
00:03:47,830 --> 00:03:54,260
A successful brute force attack on the NT LAN Manager protocol takes from 10 to the 20th power to 10

44
00:03:54,260 --> 00:04:00,410
to the 600th power operations, depending on the strength of a user's password.

45
00:04:00,430 --> 00:04:07,960
This would take a lot of processing. Dictionary attacks are at the other side of the scale: there is a

46
00:04:07,960 --> 00:04:15,290
list of potential or common passwords and each entry is checked one by one. This check doesn't take long.

47
00:04:15,300 --> 00:04:18,610
There's little computing here.

48
00:04:18,850 --> 00:04:25,340
Remember that an offline attack requires the possession of some cryptographic resource such as an NT

49
00:04:25,370 --> 00:04:29,300
or a LAN Manager hash.

50
00:04:29,440 --> 00:04:34,960
It's impossible, even today, to generate a list of all possible passwords and store it locally in the

51
00:04:34,960 --> 00:04:36,520
case of secure protocols.

52
00:04:39,110 --> 00:04:46,740
Possibly with LAN Manager a good server would be able to store an exhaustive password database.

53
00:04:46,770 --> 00:04:50,000
Why did Microsoft decide to implement this protocol at all?

54
00:04:51,670 --> 00:04:57,820
Twenty years ago, when the Windows NT and Windows 95 operating systems were being developed, nobody assumed

55
00:04:57,820 --> 00:05:01,990
that the solutions then used would still be implemented in 2012.
56
00:05:03,910 --> 00:05:09,730
Even 10 years ago hardware and software were evolving so fast that two new architectures were released

57
00:05:09,730 --> 00:05:17,200
in a year. A year-old computer was already outdated and unable to support many functionalities or run

58
00:05:17,200 --> 00:05:20,490
many applications.

59
00:05:20,700 --> 00:05:25,870
Nobody thought 20 years ago that the solutions then created would be in use for this length of time.

60
00:05:28,280 --> 00:05:35,050
The Year 2000 problem was the perfect example of this: many programmers simply did not expect their code

61
00:05:35,050 --> 00:05:37,710
to remain in use in systems for so long.

62
00:05:40,840 --> 00:05:45,820
Coming back to online attacks, we already know that calculating all possible combinations consumes a

63
00:05:45,820 --> 00:05:47,620
lot of computational power,

64
00:05:48,390 --> 00:05:56,230
and that storing all calculated combinations is infeasible, as it would require massive storage resources.

65
00:05:56,240 --> 00:06:01,620
Let's try to strike a balance.

66
00:06:01,630 --> 00:06:05,640
The tradeoff is provided by rainbow tables, developed by Philippe Oechslin.

67
00:06:08,410 --> 00:06:11,220
Instead of saving all possible hashes somewhere,

68
00:06:11,410 --> 00:06:16,680
you can only save some of them. What hashes should be selected, though?

69
00:06:17,690 --> 00:06:24,100
We don't know what the efficiency of a rainbow table would be.

70
00:06:24,110 --> 00:06:31,800
The trick is using a reduction function. This function should be as random as possible.

71
00:06:31,820 --> 00:06:39,830
We don't rely here on some arcane knowledge of hash generation or on user data. We'd like to use a function

72
00:06:39,830 --> 00:06:45,600
that maps a hash to a corresponding password more or less randomly.
73
00:06:45,630 --> 00:06:52,680
The reduction function is the opposite of a hash function, such as the MD4, MD5 or SHA-1

74
00:06:52,680 --> 00:06:53,390
functions.

75
00:06:58,440 --> 00:07:02,400
We see a first password in a rainbow table.

76
00:07:02,440 --> 00:07:06,190
Let's track a single chain.

77
00:07:06,280 --> 00:07:11,520
The first value is a password, followed by a function that generates the hash from the password,

78
00:07:12,350 --> 00:07:17,730
for example a LAN Manager or NT LAN Manager hash.

79
00:07:17,900 --> 00:07:24,330
Next we have a reduction function that is used to recover a password from the hash. As we said,

80
00:07:24,450 --> 00:07:29,880
this is supposed to be random, so the extracted password will not be the same password that was first

81
00:07:29,880 --> 00:07:30,620
entered.

82
00:07:32,650 --> 00:07:38,560
We generate a hash from the newly created password and next, using a second reduction function,

83
00:07:38,560 --> 00:07:41,270
regenerate a password from the hash, and so on.

84
00:07:42,750 --> 00:07:48,930
This creates a single rainbow table chain. Instead of saving all combinations into the table,

85
00:07:48,940 --> 00:07:57,960
we only save the endpoints: we save the starting password and the last computed hash. To increase the

86
00:07:57,960 --> 00:08:01,630
chance of all possible passwords being contained in the rainbow table,

87
00:08:01,680 --> 00:08:05,330
there have to be a lot of chains in it.

88
00:08:05,390 --> 00:08:12,600
We add a second reduction function to improve the odds. If each reduction function was displayed in a

89
00:08:12,600 --> 00:08:14,370
diagram in a different color,

90
00:08:14,580 --> 00:08:16,200
it would look like a rainbow.

91
00:08:16,530 --> 00:08:24,220
Hence the name, the rainbow table. We took the best of the previous attack techniques.

92
00:08:24,220 --> 00:08:27,410
We have some things pre-computed and saved:
93
00:08:27,600 --> 00:08:33,180
the first password and the last hash, but the data doesn't take too much space and can be stored on a

94
00:08:33,180 --> 00:08:37,290
standard hard disk.

95
00:08:37,370 --> 00:08:43,130
Now computing is simply reversing individual chains, by comparing a password being cracked against the

96
00:08:43,130 --> 00:08:49,540
values returned by transformations that reverse the direction of the arrows in the chart.

97
00:08:49,620 --> 00:08:53,770
If there is a match, we have found the password.

98
00:08:53,830 --> 00:08:58,690
If the values don't match, it seems that we're not successful and the password is not contained in the

99
00:08:58,690 --> 00:09:02,440
chain in the rainbow table.

100
00:09:02,500 --> 00:09:08,200
We had to apply some computing power and use up some storage, but overall this solution looks extremely

101
00:09:08,200 --> 00:09:09,040
effective.
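The chain construction and chain reversal described in the lecture, as an added example that is not part of the original course material: a toy rainbow table over three-letter lowercase passwords, using MD5 (one of the hash functions the lecture names) and a constructed reduction function that differs per column. All names here (ALPHABET, PW_LEN, CHAIN_LEN, reduce_, build_table, lookup) are assumptions of this example; it works only because the hashes are unsalted, which is why per-user salts defeat precomputed tables.

```python
import hashlib

# Constructed toy parameters: 3 lowercase letters so a chain is easy to follow.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 10                       # number of reduction steps per chain
SPACE = len(ALPHABET) ** PW_LEN      # size of the password space (17576)

def h(password):
    """The chain's hash function (MD5, one of the functions the lecture names)."""
    return hashlib.md5(password.encode()).hexdigest()

def reduce_(digest, step):
    """Reduction function: maps a digest back into the password space.
    Mixing in the column index gives each column its own reduction function,
    which is what makes the diagram look like a rainbow."""
    n = (int(digest, 16) + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table(starts):
    """Walk each chain and store only its endpoints: {last_hash: start_password}."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(h(pw), step)
        table[h(pw)] = start
    return table

def lookup(table, target):
    """Reverse the chains: assume target sits at column col, walk to the chain
    end, and if that end is stored, regenerate the chain to recover the password."""
    for col in range(CHAIN_LEN, -1, -1):
        digest = target
        for step in range(col, CHAIN_LEN):
            digest = h(reduce_(digest, step))
        start = table.get(digest)
        if start is None:
            continue
        pw = start
        for step in range(col):
            pw = reduce_(h(pw), step)
        if h(pw) == target:          # verify: merged chains can raise false alarms
            return pw
    return None
```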